Trojan distributed as 8 Ball Pool game hack (Dec 18, 2015)

The Dell SonicWALL Threats Research team has received a sample of a backdoor Trojan posing as a game hack. That cheats for games often carry malware will surprise few. But as a game grows more popular, cybercriminals take advantage of eager gamers by promising to unlock abilities or to supply enough credits to buy something that speeds progress, and such shortcuts make the bait all the more appealing. The sample we received poses as a cheat for a top-ranking free sports game; in fact, searching online for the 8 Ball Pool game yields keyword suggestions such as “hack” and “cheats.”

Infection Cycle

The Trojan arrives as a file named “hack 8 ball pool.exe.” Upon execution, it copies itself to the following location:

  • %TEMP%\chrome.exe

To start again after a reboot, the Trojan adds the following value to the registry:

  • HKLM\software\microsoft\windows\currentversion\run\[8ce73491bf190a3fd7028c92bd3331b1] “%TEMP%\chrome.exe”

To bypass the Windows Firewall, it adds itself to the firewall's authorized applications list in the registry:

  • HKLM\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list [%TEMP%\chrome.exe]
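As an added example (not code from the SonicWALL post), the following Python script parses a `.reg` export of the two keys named above and flags the two artifacts a responder would look for: an autostart or firewall-exception entry whose executable lives in a user-writable temp location, and a Run value with a random-looking 32-hex name. The sample export text, the list of temp locations and the exact format of the firewall list value are constructed assumptions for the example.

```python
import re

# Constructed .reg export excerpt reproducing the artifacts described above.
# (.reg files escape backslashes as "\\"; this is a raw string, so they stay.)
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"
"8ce73491bf190a3fd7028c92bd3331b1"="%TEMP%\\chrome.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"%TEMP%\\chrome.exe"="%TEMP%\\chrome.exe:*:Enabled:chrome"
'''

KEY_LINE = re.compile(r"^\[(.+)\]$")
VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

# Autostart keys and the firewall exception list, matched as lower-case key suffixes.
AUTOSTART_SUFFIXES = ("\\currentversion\\run", "\\currentversion\\runonce")
FIREWALL_LIST_SUFFIX = "\\authorizedapplications\\list"
# Locations an unprivileged process can write to; a legitimate autostart rarely lives there.
# (Assumed list for the example.)
TEMP_LOCATIONS = ("%temp%", "%tmp%", "%appdata%", "%localappdata%", "\\appdata\\local\\temp\\")
HEX_NAME = re.compile(r"^[0-9a-f]{32}$", re.IGNORECASE)


def parse_reg(text):
    """Return (key, value_name, value_data) triples from a .reg export."""
    entries, key = [], None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_LINE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_LINE.match(line)
        if m and key:
            # Undo the .reg backslash escaping so paths read naturally.
            name, data = (s.replace("\\\\", "\\") for s in m.groups())
            entries.append((key, name, data))
    return entries


def findings(entries):
    """Flag autostart and firewall-exception entries that look like the Trojan's."""
    out = []
    for key, name, data in entries:
        k, d = key.lower(), data.lower()
        in_autostart = k.endswith(AUTOSTART_SUFFIXES)
        in_firewall = k.endswith(FIREWALL_LIST_SUFFIX)
        if not (in_autostart or in_firewall):
            continue
        reasons = []
        if any(loc in d for loc in TEMP_LOCATIONS):
            reasons.append("executable in a user-writable temp location")
        if in_autostart and HEX_NAME.match(name):
            reasons.append("random-looking 32-hex value name")
        if reasons:
            out.append({"key": key, "name": name, "data": data, "reasons": reasons})
    return out


if __name__ == "__main__":
    for f in findings(parse_reg(SAMPLE_REG)):
        print(f["key"].split("\\")[-1], f["name"], "->", f["data"], "|", "; ".join(f["reasons"]))
```

On a live system the same checks would be run over `reg export` output of the two keys; the script flags two of the four sample entries, the hex-named Run value and the firewall exception, and leaves the two legitimate ones alone.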

It then makes the following DNS query:

Figure 1: DNS query to hackernople.no-ip.biz

It then starts to send information such as the current date, the victim’s computer name, user name, operating system and IP address to a remote server:

Figure 2: Trojan sending personal information to a remote C&C server

We have also noticed the Trojan sending desktop screenshots to a remote server:

Figure 3: Trojan sending screenshots in a JPG format to a remote C&C server

This Trojan is capable of deleting files from a victim’s machine. During our analysis, it deleted security tools such as Process Explorer (procexp) and TCPView.

Figure 4: Trojan sending a confirmation of removal of processes such as procexp.exe and tcpview.exe

It is also capable of downloading additional malicious components. During our analysis, it downloaded a password recovery tool called “WebBrowserPassView” onto the victim’s machine and installed it. This tool can be used to reveal passwords stored in the victim’s web browsers.

Figure 5: Packets showing the infected machine receiving an executable

Figure 6: Receiving command to execute and install WebBrowserPassView

This Trojan can delete data, potentially disrupt services and steal information, so the threat it poses depends on the sensitivity of the data taken from the victim. It is all the more pervasive because it banks on the popularity of the game it impersonates, and since it can download and install further components, victims will likely end up with multiple malware infections on their systems.

Dell SonicWALL Gateway AntiVirus provides protection against this threat with the following signature:

  • GAV: Barys.RAT (Trojan)

iPower Technologies Arrests Hidden Malware from Body Cameras with SonicWall Firewalls

Note: This is a guest blog by Jarrett Pavao, CEO of iPower Technologies Inc., a Premier Partner for SonicWall Security in South Florida.

Every day viruses, malware and trojans infect IT infrastructure through a growing number of mobile devices. With the growth of Internet of Things (IoT), this threat is rapidly increasing. We are faced with viruses potentially infiltrating almost every connected device – even brand-new law enforcement body cameras.

That’s right, even the people sworn to protect are exposed to these threats. Here at iPower Technologies, we never cease to be amazed at the lengths the bad guys will go to to break into networks. That’s why it’s important that organizations have comprehensive network security that protects their associates whether they are working in the field, at home or in the office. As more of our everyday devices become “smart” and “connected”, they bring great convenience to our private and professional lives, but they also provide an access point to infect entire networks and wreak havoc. This potential threat may even come from new equipment straight out of the box.

As the CEO of iPower Technologies, my team based in Boca Raton recently discovered malware on the body cameras used by one of our law enforcement clients. As a SonicWall Security Premium Partner, we follow strict protocols and we regularly audit and scan our clients’ IT infrastructure and endpoint devices, including body cameras used by our law enforcement customers. With SonicWall next-generation firewalls, we were able to detect the virus before it infected the entire network and potentially put critical data at risk. These cameras leverage geolocation/GPS capabilities, meaning that the malware could be used to track law enforcement locations.

Discovery: Conficker Worm

We discovered the malware during testing of body camera equipment for one of our law-enforcement clients. An iPower engineer connected the USB camera to one of our computers. When he did, multiple security systems in our test environment were alerted to a new threat. It turned out to be a variant of the pervasive Conficker worm and we immediately quarantined it. A second camera was connected to a virtual lab PC with no antivirus. The SonicWall next-generation firewall immediately notified iPower of the virus’ attempt to spread on the LAN and blocked the virus from communicating with command-and-control servers on the public internet.

Prevention

Like the body armor that peace officers wear, taking precautions and preventive measures is the best defense for stopping and limiting damage from attacks. Fortunately for our clients, my iPower team has the expertise to recognize active threats, along with the support of the SonicWall Threat Research team, to prevent successful attacks. In this specific case, the threat was stopped before it could do any damage and an alert for the Conficker worm was issued.

Any network with a properly deployed SonicWall next-gen firewall would have contained the attack to a local device, such as the USB port, rather than letting it reach the entire network.

SonicWall Next Generation firewalls have multiple security features, including the ability to inspect encrypted traffic, and leverage deep packet inspection (DPI) technology. The diagram below gives an example of how to prevent a virus or worm like Conficker from spreading from a PC to your servers:

Examine Smart Devices before Deploying

It’s a matter of policy for us at iPower to test all equipment before we install it on a client’s network. If you don’t have a test environment – or access to one – I strongly suggest that you make the investment. It can pay for itself by preventing embarrassing events at the client site, as well as by increasing internal staff knowledge that can then be applied in the real world. So do test every device you plan to install on or connect to your client’s network.

Make sure that testing is a matter of policy by having a strict written policy regarding the implementation of any new hardware or software. Test any new systems being added to your corporate network in a sandbox environment prior to deployment. We don’t know for sure how the malware got onto the body cameras. It could have happened at any number of the manufacturing, assembly and – ironically – QA testing stages. I think the most likely cause is a lack of manufacturing controls and outsourced equipment production. It seems innocuous enough. It’s just a camera, but the worm could have had devastating, even tragic, ramifications if it had been able to gain remote code execution inside a network. Attackers could then harvest police databases for Personally Identifiable Information (PII), which can be used to forge fake identities, among other things.

This threat is real and growing. When you extrapolate this threat out to common smart devices, such as connected refrigerators and thermostats, and add the general lack of security knowledge in the home and SMB markets, you have a potentially massive challenge. So again, any device that will be placed on the same network as servers or databases, or that could potentially access a corporate network, needs to be checked out and properly aligned with security best practices. The best way to do this is careful network design; intra-VLAN inspection on SonicWall next-generation firewalls is a great way to protect critical infrastructure from high-risk PCs and IoT devices.

Jenkins CI Server Commons-Collections Library Insecure Deserialization

Jenkins is a continuous integration (CI) tool. It is written in Java and is open source. It builds and tests software continuously and tracks the status of existing jobs. It supports various version control systems such as Subversion, Git, Perforce, etc.

For remote administration, Jenkins includes a command line interface (CLI) tool called jenkins-cli.jar. Using this tool, commands can be sent to the Jenkins server, which processes them using Remoting. To achieve remoting, objects are serialized by the client and deserialized by the server. An insecure deserialization vulnerability (CVE-2015-8103) exists in the server because untrusted data is deserialized while a vulnerable version of the Apache Commons Collections library is on the classpath. The vulnerability can be exploited by an unauthenticated remote attacker by sending a specially crafted serialized object. Successful exploitation can lead to execution of arbitrary commands on the server. The problem is located in the readObject() method of the ‘connection.class’ class file.

Deserializing untrusted data while vulnerable Apache Commons Collections classes are available leads to the vulnerability. Such classes are, for example:

  • InvokerTransformer
  • ForClosure
  • CloseTransformer

to name a few. The untrusted data eventually passes down to the ‘Runtime.exec()’ method, where arbitrary code gets executed. The applied fix filters out a list of classes that are considered unsafe before they can be deserialized.
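As an added example (not code from the SonicWALL post or from the Jenkins project), this Python script shows the idea behind the class filter described above applied as a look-ahead over the raw Java serialization stream: it checks the stream magic, pulls class names out of TC_CLASSDESC records and refuses the stream if any of them belongs to the Commons Collections functors package, which holds the gadget classes named above. The package-prefix rule, the heuristic record scan and the two sample stream fragments are assumptions constructed for the example; Jenkins’ own fix is Java code inside the deserializer, and its exact class list is not reproduced in the post.

```python
import re
import struct

# Java serialization stream constants (java.io.ObjectStreamConstants).
STREAM_MAGIC = b"\xac\xed"
STREAM_VERSION = b"\x00\x05"
TC_OBJECT = 0x73
TC_CLASSDESC = 0x72

# Packages holding the Commons Collections gadget classes named in the advisory.
# Blocking by package prefix is an assumption for the example.
BLOCKED_PREFIXES = (
    "org.apache.commons.collections.functors.",
    "org.apache.commons.collections4.functors.",
)

# Shape of a fully qualified Java class name.
_CLASS_NAME = re.compile(rb"^[A-Za-z_$][A-Za-z0-9_$]*(?:\.[A-Za-z_$][A-Za-z0-9_$]*)*$")


def java_utf(s):
    """Encode a string the way DataOutput.writeUTF does: 2-byte big-endian length, then bytes."""
    raw = s.encode("utf-8")
    return struct.pack(">H", len(raw)) + raw


def class_descriptor_names(stream):
    """Heuristically extract class names from TC_CLASSDESC records.

    A full parser would track back-references and field descriptors; here we only
    look for the 0x72 tag followed by a length-prefixed, identifier-shaped name,
    which is enough to decide whether a known gadget class is referenced.
    """
    if stream[:4] != STREAM_MAGIC + STREAM_VERSION:
        raise ValueError("not a Java serialization stream")
    names = []
    i = 4
    while i + 3 <= len(stream):
        if stream[i] == TC_CLASSDESC:
            (length,) = struct.unpack(">H", stream[i + 1:i + 3])
            candidate = stream[i + 3:i + 3 + length]
            if length and len(candidate) == length and _CLASS_NAME.match(candidate):
                names.append(candidate.decode("ascii"))
                i += 3 + length  # skip over the name so its bytes are not rescanned
                continue
        i += 1
    return names


def blocked_classes(stream):
    """Class names in the stream that fall under a blocked package."""
    return [n for n in class_descriptor_names(stream) if n.startswith(BLOCKED_PREFIXES)]


def should_reject(stream):
    """Decide before deserialization starts, which is what a class filter buys you."""
    return bool(blocked_classes(stream))


def make_sample(class_name):
    """Constructed stream fragment: magic, TC_OBJECT, TC_CLASSDESC, class name, then a
    dummy serialVersionUID, the SC_SERIALIZABLE flag and a zero field count.
    It is not a complete object, only enough for the scanner to see the class."""
    return (STREAM_MAGIC + STREAM_VERSION
            + bytes([TC_OBJECT, TC_CLASSDESC])
            + java_utf(class_name)
            + b"\x00" * 8      # serialVersionUID (dummy)
            + b"\x02"          # SC_SERIALIZABLE
            + b"\x00\x00")     # field count


BENIGN_SAMPLE = make_sample("java.util.HashMap")
GADGET_SAMPLE = make_sample("org.apache.commons.collections.functors.InvokerTransformer")

if __name__ == "__main__":
    for label, s in (("benign", BENIGN_SAMPLE), ("gadget", GADGET_SAMPLE)):
        print(label, class_descriptor_names(s), "reject" if should_reject(s) else "allow")
```

The scan is deliberately conservative in what it accepts as a class name, but because it ignores back-references and nested descriptors it is a triage aid, not a substitute for filtering inside the deserializer itself.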

Vulnerable versions:

  • Jenkins 1.637 and prior
  • Jenkins LTS releases 1.625.1 and prior

Dell SonicWALL has written the following signature that protects our customers from attacks against this vulnerability:

  • 11314.Jenkins CLI Remote Code Execution

Dridex module leaks system info and potentially more (Dec 11, 2015)

The Dell SonicWALL UTM research team has discovered a Dridex info-stealer module that leaks system information and may also modify certificates stored on the system.

Infection Cycle:

Upon infection the Trojan sends the following system information to a remote C&C server:

The following encrypted conversation was then observed:

The Trojan drops the following file: 2FE.tmp.mod [Detected as GAV: Dridex.OOVO (Trojan)] on the infected system:

2FE.tmp.mod contains the following strings:

  • Mozilla/4.0 (Mozilla/4.0; MSIE 7.0; Windows NT 5.1; FDM; SV1; .NET CLR 3.0.0
  • CryptSIPDllGetSignedDataMsg
  • CryptDllExportPublicKeyInfoEx
  • CryptDllImportPublicKeyInfoEx
  • CryptDllEncodePublicKeyAndParameters
  • CryptDllConvertPublicKeyInfo
  • CertDllVerifyRevocation
  • CertDllVerifyCTLUsage
  • CertDllOpenSystemStoreProv
  • CertDllRegisterSystemStore
  • CertDllUnregisterSystemStore
  • CertDllEnumSystemStore
  • CertDllRegisterPhysicalStore
  • CertDllUnregisterPhysicalStore
  • CertDllEnumPhysicalStore
  • CryptDllExportPrivateKeyInfoEx
  • CryptDllImportPrivateKeyInfoEx
  • CertDllVerifyCertificateChainPolicy
  • CryptMsgDllExportEncryptKey
  • CryptMsgDllImportEncryptKey
  • CryptMsgDllGenContentEncryptKey
  • CryptMsgDllImportKeyTrans
  • CryptMsgDllImportKeyAgree
  • CryptMsgDllImportMailList

These strings suggest intent to inspect or manipulate certificates on the infected system.
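As an added illustration (not code from the SonicWALL post), the following Python triage script pulls printable strings out of a binary blob the way the `strings` utility does, groups the export names listed above by what they would let a sample do with certificate stores and keys, and flags a sample that carries both the hard-coded User-Agent and names from several groups. The capability grouping, the two-group threshold and the two sample blobs are constructed assumptions for the example.

```python
import re

# Export names listed above, grouped by the capability they point to.
# The grouping is an assumption made for this example.
CAPABILITY_GROUPS = {
    "certificate store registration": [
        "CertDllOpenSystemStoreProv", "CertDllRegisterSystemStore",
        "CertDllUnregisterSystemStore", "CertDllEnumSystemStore",
        "CertDllRegisterPhysicalStore", "CertDllUnregisterPhysicalStore",
        "CertDllEnumPhysicalStore",
    ],
    "key import/export": [
        "CryptDllExportPublicKeyInfoEx", "CryptDllImportPublicKeyInfoEx",
        "CryptDllExportPrivateKeyInfoEx", "CryptDllImportPrivateKeyInfoEx",
        "CryptDllEncodePublicKeyAndParameters", "CryptDllConvertPublicKeyInfo",
    ],
    "chain/revocation verification": [
        "CertDllVerifyRevocation", "CertDllVerifyCTLUsage",
        "CertDllVerifyCertificateChainPolicy",
    ],
    "signed-data and message crypto": [
        "CryptSIPDllGetSignedDataMsg", "CryptMsgDllExportEncryptKey",
        "CryptMsgDllImportEncryptKey", "CryptMsgDllGenContentEncryptKey",
        "CryptMsgDllImportKeyTrans", "CryptMsgDllImportKeyAgree",
        "CryptMsgDllImportMailList",
    ],
}
# Hard-coded User-Agent string from the list above.
USER_AGENT_FRAGMENT = "Mozilla/4.0 (Mozilla/4.0; MSIE 7.0; Windows NT 5.1; FDM; SV1; .NET CLR 3.0.0"


def extract_strings(blob, min_len=6):
    """Minimal `strings`: runs of printable ASCII at least min_len bytes long."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]


def triage(blob, min_groups=2):
    """Report which capability groups and the User-Agent appear, and a verdict."""
    joined = "\n".join(extract_strings(blob))
    groups = {}
    for group, names in CAPABILITY_GROUPS.items():
        present = sorted(n for n in names if n in joined)
        if present:
            groups[group] = present
    user_agent = USER_AGENT_FRAGMENT in joined
    return {
        "groups": groups,
        "user_agent": user_agent,
        "suspicious": user_agent and len(groups) >= min_groups,
    }


# Constructed blobs: a few NUL-terminated strings with binary noise between them.
SAMPLE_BLOB = (
    b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 12
    + b"CertDllRegisterSystemStore\x00"
    + b"\x8f\x01\xc2"
    + b"CertDllEnumPhysicalStore\x00"
    + b"CryptDllExportPrivateKeyInfoEx\x00"
    + b"\x00\x00\x7f\x05"
    + USER_AGENT_FRAGMENT.encode("ascii") + b"\x00"
    + b"kernel32.dll\x00GetProcAddress\x00"
)
CLEAN_BLOB = (
    b"MZ\x90\x00" + b"\x00" * 8
    + b"kernel32.dll\x00GetProcAddress\x00LoadLibraryA\x00"
)

if __name__ == "__main__":
    for label, blob in (("sample", SAMPLE_BLOB), ("clean", CLEAN_BLOB)):
        print(label, triage(blob))
```

Matching on the presence of several related export names, rather than on any single string, is what keeps a rule like this from firing on the legitimate crypto providers that export the same functions one at a time.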

On our infected test system the following data was encrypted and leaked to a C&C server:

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Dridex.AA_3 (Trojan)
  • GAV: Dridex.OOVO (Trojan)

Higher Education Makes Cybersecurity a High Priority – Are You Prepared?

Digital natives predominantly compose the student body at today’s education institutions, and technological advancements have created unprecedented opportunities for personalized learning. BYOD and other emerging technologies have allowed school districts, colleges, and universities to become more effective, inclusive, and collaborative.

With the proliferation of devices now on the network, however, IT administrators are now faced with the enormous task of empowering end-users to capitalize on the benefits of increased mobility and connectivity, while also ensuring the integrity of the organization’s network and data. In our current threat environment, it is more critical than ever that schools, colleges and universities develop an overarching, end-to-end security approach that aligns with the institution’s mission.

A recent SonicWall survey, conducted in partnership with the Center for Digital Education, targeted higher education IT professionals, including executives (CIO, CISO, VP of IT, etc.), IT Directors and network managers to assess the state of network security on college campuses. A key takeaway from the study, however unsurprising, is that 73 percent of respondents rank cybersecurity high or very high among their institution’s technology priorities.

Just as cybersecurity has become a priority across industry and government, higher education institutions are shining a brighter spotlight on security – and for good reason. While educational institutions rank their ability to detect and block cyber attacks relatively high, with 65 percent citing their abilities as good or excellent, only 17 percent indicate that they have not experienced a network breach/incident in the past year. This statistic is indicative of the fact that cyber threats are continuing to increase in both frequency and sophistication in every industry.

In response to the growing threat of data breaches, 77 percent of survey respondents indicate they expect to spend more on network security in the next 12 months and 63 percent expect to spend more on secure access to data and applications. This is an encouraging statistic, as it reflects increased awareness around the need to strengthen security and mitigate risk.

In our hyper-connected world, a strong security posture is a strategic investment for education at all levels. IT administrators and decision makers across the education industry need to address the continually growing role of technology on campus by implementing end-to-end security solutions that protect all data and endpoints, old and new. Holistic, end-to-end security that utilizes identity access management, next-gen firewalls, endpoint security and efficient patch management allows school districts, colleges and universities to confidently and securely offer the benefits of increased mobility and other IT advances to their faculty and students.

For more details from the survey, view the on-demand webcast “Network Security in Education: The changing landscape of campus data security.” In this November 2015 webinar, Larry Padgett of the School District of Palm Beach County reviews how his district – the 10th largest in the United States — is leveraging people, processes, and SonicWall next-generation firewalls to protect a network serving 189,000 students and staff in nearly 200 sites. SonicWall Security’s Ken Dang joins Larry in this Education Dive webinar.

Network Security Designs for Your Retail Business

The 2015 Verizon Data Breach Investigations Report (DBIR) estimate of $400 million in financial losses from security breaches shows the importance of managing breaches and ensuring that appropriate security infrastructure is in place. The retail industry saw high-profile breaches this year through RAM-scraping malware aimed at point-of-sale (POS) systems. These breaches affect both large and small organizations. According to the Verizon 2015 DBIR, attackers gained access to the POS devices of small organizations through brute force, while larger breaches were multi-step attacks in which some secondary system was breached before the POS system was attacked. This article highlights the key design considerations for building and deploying a secure, scalable and robust retail network.

Secure Network Design Considerations

Organizations need to ensure that their networks are resilient, secure and robust. The security solution put in place must not be a knee-jerk reaction to an attack but a comprehensive protection solution. A typical retail location requires support for POS systems, guest Wi-Fi access, employee access to restricted resources, third-party vendor access to limited resources and a reliable Internet connection with no downtime. Given these requirements, the following strategies are recommended for retail network design:

1. Network Segmentation – It is important to segment the retail network into multiple networks. This ensures that an attack on a particular device in one network does not infect the entire network. A simple, flat network design makes it easy for an infected POS terminal to bring the entire network down. Create separate networks for POS terminals, guest Wi-Fi devices, employee access to restricted information and 3rd party vendor access (limited and appropriate access).

2. Access Control – Install strict access controls on all network segments to ensure how devices communicate within and across network segment(s).

3. VPN Tunnels – Create site-to-site VPN tunnels between each retail location and the centralized data center to ensure that all traffic originating from a POS system is always encrypted. Typically, sensitive customer credit card information is encrypted when validated over the Internet. However, simple management data such as login credentials may not be encrypted and could serve as an entry point for a security breach.

4. Security – SonicWall 2015 Annual Threat Report findings show 109% increase in the encrypted connection traffic from last year. This potentially means that attackers could be using encryption as a way to hide their malware from firewalls. It is imperative to use a Next-Generation Firewall (NGFW) that performs deep packet inspection on all traffic including encrypted ones. Deep packet inspection services such as Intrusion Prevention, Malware detection and Content Filtering are strongly recommended to reduce the risk of intrusions and malware attacks. Additionally, enable endpoint anti-virus on all POS terminals for increased security.

5. Reliability – Retail networks need to be secure and fault tolerant with zero downtime. For fault tolerance at smaller retail locations, it is recommended to use 3G/4G backup failover with a multi-ISP strategy. For retail locations with heavier traffic, NGFWs deployed in High-Availability mode provide uninterrupted connectivity.

6. Guest Wi-Fi – Retail locations are increasingly using guest Wi-Fi access as a means to increase their business and stickiness with customers. For guest Wi-Fi, create a locked-down Internet-only network access for visitors or untrusted network nodes. Choose a solution that provides guest services with the latest wireless technology such as 802.11ac for increased bandwidth.

The SonicWall Next Generation Firewall based security solution provides an integrated approach to addressing all the requirements of a typical retail network. For more information on best practices for securing your retail network, download this white paper.

The Holiday Online Shopping Season is Coming. Is Your Network Prepared?

Now that Halloween is over, it’s time for the holiday online shopping season to kick in, beginning on Black Friday, continuing through Cyber Monday, and finishing up on New Year’s day. For a lot of people it’s time to start spending money.

When we shop for the holidays many of us like to do it online. The National Retail Federation indicates that more than half of U.S. consumers plan to make at least some of their holiday purchases online this year. Why? Well, we can do it from anywhere at any time. It’s convenient. That includes shopping from work.

What does it mean to your organization? Well, there’s a good chance your employees will spend some of their work time shopping online over the next six weeks. Is that a potential problem? If you consider the security of your network, the productivity of your employees and the use of network bandwidth important to your organization, then the answer is yes, and here’s why.

Online shopping at work introduces security risks. For example, employees may inadvertently create opportunities for malicious attacks directed at your organization. An “attack or threat vector” is the means a hacker uses to gain access to one or more systems or servers on your network. Through the attack vector, the hacker can compromise systems on your network and deliver a malicious payload, the most common being a virus, worm, trojan or spyware. A common threat vector around the holidays is phishing. Phishing is an email fraud method in which the perpetrator sends out a legitimate-looking email instructing recipients to go to the fake website of a reputable business such as FedEx or UPS. The site will attempt to collect personal information such as the user’s name, passwords, social security number and credit card details. Another attack vector you may come across is “malvertising,” or “malicious advertising,” which is a threat that uses online advertising to spread malware. The malware can then capture information from an infected machine, or send probes around the network to find servers and other systems that can be compromised.

The security of your network isn’t the only issue your organization faces during the holiday buying season. Employees are exercising more freedom for personal activities such as online shopping during work hours. This is concerning. Why? Well, they’re shopping on company time so they’re not as productive and it’s likely they’re connecting to sites through the corporate network which could lead to a security risk as well as a misappropriation of valuable bandwidth.

Speaking of your bandwidth, there’s the question of how it’s being used. With likely over half of your employees shopping online at some point during the holidays, the bandwidth available to critical applications on your network is going to disappear. Therefore, it’s critical to prevent vital bandwidth from being consumed by non-productive web use such as online shopping, streaming music and watching HD videos which can all have a negative impact on network performance if left unchecked.

What can you do to secure your network, improve employee productivity and get the most out of your bandwidth during the holiday online shopping season? Here are a few tips:

  • Get a next-generation firewall. If you don’t have one already, next-generation firewalls secure inbound and outbound traffic from threats, provide you the tools to determine which websites your employees can and can’t access (hint – online shopping sites) and allow you to identify and control the apps used on your network and how much bandwidth you want to allocate to them. Not only that, with more websites moving to SSL encryption, it’s important that the next-generation firewall be able to decrypt and inspect encrypted traffic for threats.
  • Help your employees learn how to avoid malvertising and recognize phishing emails. Be alert for suspicious emails and links to unknown websites.
  • Educate employees to use different passwords for every account and establish policies for strong passwords.
  • Many attacks are based on known vulnerabilities in recognized browsers, as well as in plug-ins and common apps. Therefore it’s critical to apply updates and patches promptly and reliably.
  • It’s a good idea to use tools that allow IT managers to monitor the use of network applications. It’s called “Application Intelligence” and it can help you determine if anyone is violating company policies or simply visiting sites that have no business purpose such as online shopping.

SonicWall offers a complete range of industry-leading next-generation firewalls, including the NSA Series, that integrate numerous advanced features for deep packet inspection such as Anti-Malware, Intrusion Prevention, Application Intelligence and Control, Content and URL Filtering, and SSL Decryption and Inspection.

Take Control of Your Network During the Holiday Shopping Season

It’s the holiday season and that means we’re all busy with fun activities. Take online shopping for example. Many of us will do it between Black Friday and New Year’s, even for just a little while. Some of us do it at work. When employees spend time shopping online during work hours it presents challenges for any organization. Perhaps the three biggest challenges are network security, employee productivity and bandwidth consumption.

How popular is online shopping? Last year, data from the National Retail Federation (NRF) revealed that retail holiday buying increased 4.1% to just over $600 billion. Much of that shopping was done online. This year the NRF is forecasting retail sales of $630 billion, up 3.7% over 2014. According to an NRF survey almost half of all holiday shopping, whether it’s making a purchase or merely browsing, will again be done online this year. Let’s take a look at the impact this has on organizations and the steps you can take to overcome the challenges online shopping poses.

Network security

  • Malware – Employees who shop online at work inadvertently create opportunities for malicious attacks directed at your network and your organization. The most common threats are viruses, worms, Trojans and spyware.
  • Phishing – Phishing is an email fraud method in which the perpetrator sends out a legitimate-looking email in an attempt to gather personal and financial information from unsuspecting recipients.
  • Malicious advertising – Commonly referred to as “malvertising,” this threat uses online advertising to spread malware which can then capture information such as credit card and social security numbers from infected machines.

Employee productivity

  • The big drain – With workers bringing their own smartphones and tablets into the office, we’re seeing an increased blurring of the line between work life and personal life as employees exercise more freedom to use these devices for personal activities such as online shopping during work hours. When they’re shopping on company time it means they’re not working so their productivity has decreased.

Bandwidth consumption

  • Disappearing bandwidth – With about half of your employees shopping online during the holidays, the bandwidth available to critical applications on your network is going to disappear. Therefore, it’s critical to prevent vital bandwidth from being consumed by non-productive web use.

While you can’t completely eliminate threats to your network, drops in productivity and misuse of valuable bandwidth, there are measures you can take that are well within the reach of your organization simply by practicing good digital hygiene. Here are five things your organization can do to reduce the risks of a successful attack while maintaining productivity levels and conserving bandwidth.

  1. Help employees learn how to avoid malvertising and recognize phishing emails. Be on the lookout for suspicious emails and links, especially those requesting sensitive information.
  2. Educate employees to use different passwords for every account. Establish policies for strong passwords such as guidelines regarding password length, the use of special characters and periodic expiration, and reduce the number of passwords through single sign-on.
  3. Because many attacks are based on known vulnerabilities in browsers including Internet Explorer, as well as in plug-ins and common apps, it’s critical to apply updates and patches promptly and reliably. They will contain fixes that can block exploits.
  4. Make sure you install an intrusion prevention system and gateway anti-malware technology on your network. They add important layers of protection by blocking Trojans, viruses, and other malware before they reach the company network. They can also detect and block communications between malware inside the network and the cybercriminal’s server on the outside.
  5. Take back control of your network by limiting the use of your bandwidth to business-related activities. There are several technologies available such as content and URL filtering that can be used to prevent employees from visiting websites dedicated to shopping and other non-productive topics. Also, application control provides the tools to restrict the use of applications such as social media to employees who have a business reason to use them.

SonicWall offers a complete range of industry-leading next-generation firewalls that secure your network from threats and give you the controls to keep employee productivity high and bandwidth focused on business-critical applications. To learn more about how these solutions can help you during the holiday shopping season and beyond, please visit our website.

Microsoft Security Bulletin Coverage (December 8, 2015)

Dell SonicWALL has analyzed and addressed Microsoft’s security advisories for the month of December 8, 2015. A list of issues reported, along with Dell SonicWALL coverage information are as follows:

MS15-124 Cumulative Security Update for Internet Explorer

  • CVE-2015-6083 Internet Explorer Memory Corruption Vulnerability
    IPS: 11316 “Internet Explorer Memory Corruption Vulnerability (MS15-124) 1”
  • CVE-2015-6134 Internet Explorer Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2015-6135 Scripting Engine Information Disclosure Vulnerability
    IPS: 11317 “Microsoft Scripting Engine Information Disclosure Vulnerability (MS15-124) “
  • CVE-2015-6136 Scripting Engine Memory Corruption Vulnerability
    IPS: 11324 “Microsoft Scripting Engine Memory Corruption Vulnerability (MS15-124) “
  • CVE-2015-6138 Internet Explorer XSS Filter Bypass Vulnerability
    There are no known exploits in the wild.
  • CVE-2015-6139 Microsoft Browser Elevation of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2015-6140 Microsoft Browser Memory Corruption Vulnerability
    IPS: 11325 “Microsoft Browser Memory Corruption Vulnerability (MS15-124) 1 “
  • CVE-2015-6141 Internet Explorer Memory Corruption Vulnerability
    IPS: 7645 “HTTP Client Shellcode Exploit 88 “
  • CVE-2015-6142 Microsoft Browser Memory Corruption Vulnerability
    IPS: 11326 “Microsoft Browser Memory Corruption Vulnerability (MS15-124) 2”
  • CVE-2015-6143 Internet Explorer Memory Corruption Vulnerability
    IPS: 11318 “Internet Explorer Memory Corruption Vulnerability (MS15-124) 3”
  • CVE-2015-6144 Microsoft Browser XSS Filter Bypass Vulnerability
    There are no known exploits in the wild.
  • CVE-2015-6145 Internet Explorer Memory Corruption Vulnerability
    IPS: 3930 “Internet Explorer Memory Corruption Vulnerability (MS15-124) 2”
  • CVE-2015-6146 Internet Explorer Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2015-6147 Internet Explorer Memory Corruption Vulnerability
    IPS: 11319 “Internet Explorer Memory Corruption Vulnerability (MS15-124) 4”
  • CVE-2015-6148 Microsoft Browser Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2015-6149 Internet Explorer Memory Corruption Vulnerability
    IPS: 7645 “HTTP Client Shellcode Exploit 88 “
  • CVE-2015-6150 Internet Explorer Memory Corruption Vulnerability
    IPS: 11320 “Internet Explorer Memory Corruption Vulnerability (MS15-112) 1”
  • CVE-2015-6151 Microsoft Browser Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2015-6152 Internet Explorer Memory Corruption Vulnerability
    IPS: 11321 “Internet Explorer Memory Corruption Vulnerability (MS15-124) 6”
  • CVE-2015-6153 Microsoft Browser Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2015-6154 Microsoft Browser Memory Corruption Vulnerability
    GAV: “Malformed.html.TL.265”
  • CVE-2015-6155 Microsoft Browser Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2015-6156 Internet Explorer Memory Corruption Vulnerability
    IPS: 11322 “Internet Explorer Memory Corruption Vulnerability (MS15-124) 7”
  • CVE-2015-6157 Internet Explorer Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2015-6158 Microsoft Browser Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2015-6159 Microsoft Browser Memory Corruption Vulnerability
    IPS: 11330 “Microsoft Browser Memory Corruption Vulnerability (MS15-124) 3”
  • CVE-2015-6160 Internet Explorer Memory Corruption Vulnerability
    IPS: 11323 “Internet Explorer Memory Corruption Vulnerability (MS15-124) 8”
  • CVE-2015-6161 Microsoft Browser ASLR Bypass
    There are no known exploits in the wild.
  • CVE-2015-6162 Internet Explorer Memory Corruption Vulnerability
    There are no known exploits in the wild.

MS15-125 Cumulative Security Update for Microsoft Edge

  • CVE-2015-6139 Microsoft Browser Elevation of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2015-6140 Microsoft Browser Memory Corruption Vulnerability
    IPS: 11325 “Microsoft Browser Memory Corruption Vulnerability (MS15-124) 1”
  • CVE-2015-6142 Microsoft Browser Memory Corruption Vulnerability
    IPS: 11326 “Microsoft Browser Memory Corruption Vulnerability (MS15-124) 2”
  • CVE-2015-6148 Microsoft Browser Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2015-6151 Microsoft Browser Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2015-6153 Microsoft Browser Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2015-6154 Microsoft Browser Memory Corruption Vulnerability
    GAV: “Malformed.html.TL.265”
  • CVE-2015-6155 Microsoft Browser Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2015-6158 Microsoft Browser Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2015-6159 Microsoft Browser Memory Corruption Vulnerability
    IPS: 11330 “Microsoft Browser Memory Corruption Vulnerability (MS15-124) 3”
  • CVE-2015-6168 Microsoft Edge Memory Corruption Vulnerability
    IPS: 11328 “Microsoft Edge Memory Corruption Vulnerability (MS15-125)”
  • CVE-2015-6169 Microsoft Edge Spoofing Vulnerability
    There are no known exploits in the wild.
  • CVE-2015-6170 Microsoft Edge Elevation of Privilege Vulnerability
    IPS: 11329 “Microsoft Edge Elevation of Privilege Vulnerability (MS15-125)”
  • CVE-2015-6176 Microsoft Edge XSS Filter Bypass Vulnerability
    There are no known exploits in the wild.

MS15-126 Cumulative Security Update for Jscript and VBScript to Address Remote Code Execution

  • CVE-2015-6135 Scripting Engine Information Disclosure Vulnerability
    IPS: 11317 “Microsoft Scripting Engine Information Disclosure Vulnerability (MS15-124)”
  • CVE-2015-6136 Scripting Engine Memory Corruption Vulnerability
    IPS: 11324 “Microsoft Scripting Engine Memory Corruption Vulnerability (MS15-124)”

MS15-127 Security Update for Microsoft Windows DNS to Address Remote Code Execution

  • CVE-2015-6125 Windows DNS Use After Free Vulnerability
    There are no known exploits in the wild.

MS15-128 Security Updates for Microsoft Graphics Component to Address Remote Code Execution

  • CVE-2015-6106 Graphics Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2015-6107 Graphics Memory Corruption vulnerability
    SPY: 4276 “Malformed-File doc.MP.30”
  • CVE-2015-6108 Graphics Memory Corruption vulnerability
    There are no known exploits in the wild.

MS15-129 Security Update for Silverlight to Address Remote Code Execution

  • CVE-2015-6114 Microsoft Silverlight Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2015-6165 Microsoft Silverlight Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2015-6166 Microsoft Silverlight RCE Vulnerability
    There are no known exploits in the wild.

MS15-130 Security Update for Microsoft Uniscribe to Address Remote Code Execution

  • CVE-2015-6130 Windows Integer Underflow Vulnerability
    SPY: 3223 “Malformed-File ttf.MP.7”

MS15-131 Security Update for Microsoft Office to Address Remote Code Execution

  • CVE-2015-6040 Microsoft Office Memory Corruption Vulnerability
    SPY: 3226 “Malformed-File xls.MP.51”
  • CVE-2015-6118 Microsoft Office Memory Corruption Vulnerability
    SPY: 1007 “Malformed-File doc.MP.33”
  • CVE-2015-6122 Microsoft Office Memory Corruption Vulnerability
    SPY: 3224 “Malformed-File xls.MP.50”
  • CVE-2015-6124 Microsoft Office Memory Corruption Vulnerability
    SPY: 3225 “Malformed-File doc.MP.35”
  • CVE-2015-6172 Microsoft Office RCE Vulnerability
    SPY: 3863 “KeywordFind.B Installer”
  • CVE-2015-6177 Microsoft Office Memory Corruption Vulnerability
    SPY: 1008 “Malformed-File xls.MP.49”

MS15-132 Security Update for Microsoft Windows to Address Remote Code Execution

  • CVE-2015-6128 Windows library loading elevation of privilege vulnerability
    SPY: 1010 “Malformed-File doc.MP.34”
  • CVE-2015-6177 Windows library loading elevation of privilege vulnerability
    SPY: 1011 “Malformed-File ppsx.MP.1”
  • CVE-2015-6177 Windows library loading elevation of privilege vulnerability
    SPY: 2345 “Malformed-File ppt.MP.4”

MS15-133 Security Update for Windows PGM to Address Elevation of Privilege

  • CVE-2015-6126 Windows PGM UAF Elevation of Privilege Vulnerability
    There are no known exploits in the wild.

MS15-134 Security Update for Windows Media Center to Address Remote Code Execution

  • CVE-2015-6127 Windows Media Center Information Disclosure Vulnerability
    IPS: 11327 “Windows Media Center Information Disclosure Vulnerability”
  • CVE-2015-6131 Media Center Library parsing RCE vulnerability
    There are no known exploits in the wild.

MS15-135 Security Update for Windows Kernel-Mode Drivers to Address Elevation of Privilege

  • CVE-2015-6171 Windows Kernel Memory Elevation of Privilege Vulnerability
    This is a local vulnerability.
  • CVE-2015-6173 Windows Kernel Memory Elevation of Privilege Vulnerability
    This is a local vulnerability.
  • CVE-2015-6174 Windows Kernel Memory Elevation of Privilege Vulnerability
    This is a local vulnerability.
  • CVE-2015-6175 Windows Kernel Memory Elevation of Privilege Vulnerability
    This is a local vulnerability.

Holiday Shopping Season: Increased Online Shopping and Increased Malicious Email Threats (Dec 4, 2015)

Holiday Shopping Season: Increased Online Shopping and Increased Malicious Email Threats

In this SonicAlert we will briefly discuss the seasonal increase in online shopping, and some of the types of malicious email campaigns that are taking advantage of the flurry of online shopping at this time of the year.

The two charts shown below show the network traffic patterns for Amazon Web traffic (www.amazon.com) during the month of November for 2014 and 2015. In the charts you can see a slight increase on the day or two before Thanksgiving Day (Thursday, November 27, 2014, and Thursday, November 26, 2015). You can also see a huge spike on the corresponding Cyber Mondays, December 1st, 2014, and November 30th, 2015, respectively.

Amazon.com HTTP Traffic Hits for the days of November 2014

Amazon.com HTTP Traffic Hits for the days of November 2015

The increase in shopping at this time of year creates an opportunity for cyber criminals to take advantage of consumers looking for deals, as well as people who have ordered goods online and are expecting packages in the postal service.

Phishing Emails

Phishing emails use social engineering to deceive users into believing that the email comes from a legitimate source with whom the recipient has already established a relationship of trust. The email tries to entice the recipient to click on a link that takes the user to a website appearing to be owned and operated by the trusted entity. The goal of the phishing scam is to acquire real login credentials and other personally identifying information (PII) such as credit card numbers, Social Security numbers (SSNs) and birth dates: anything that allows the thief to gain access to the user’s online accounts, bank accounts, etc. Campaigns we have seen during past holiday seasons include fraudulent emails appearing to be from sites like Amazon.com, U.S.P.S., FedEx, and other companies involved in holiday commerce. A typical malicious email will be from a domain like customer_service@amazon.com–0123-xyz.malicious-site.com and contain a message about a free gift card, an order confirmation request, or shipment tracking links. These links go to the attacker’s domain, malicious-site.com, and not amazon.com.

Dell SonicWALL is providing protection from malicious emails with Email Security and Gateway Anti-Virus (GAV) solutions. Multiple GAV signatures have been created to protect customers. The following are some of the types of email attachments we are seeing, and the GAV signatures that are detecting them:

Subject | Filename | Detection/Prevention
Added security to your debit card | Verify.html | GAV: Phish.A_31 (Trojan)
DHL Delivery Parcel dispatch notification | DHL Line Express tracking.html | GAV: Phish.A_28 (Trojan)
Payment Confirmation Swift | Download_Payment-Copy.html.html | GAV: Phish.AL (Trojan)
Code:[******* **.****] Refund On Pending ! | Refund-Form.html | GAV: Phish.A_18 (Trojan)

Trojan Emails

Trojan emails are emails that carry malicious files as attachments. They can come from trusted sources, like friends or acquaintances (people from whom you have received incident-free emails in the past), or from unknown sources. The attachments appear to be legitimate documents and files, e.g. xls, doc, exe, js, html, but they contain malicious code (macros, exploit code, shellcode, process injection code, or other malware) that can take control of the unpatched program that opens them, or even take over an unpatched operating system (rootkits). The malicious code then goes on to replicate the attack campaign by gaining control of your email accounts and spamming malicious emails to your contacts in your name.

Subject | Filename | Detection/Prevention
Track Your Shipment DHL Shipping Document DHL Shipment Notification | DHL001895.exe | GAV: Injector.C_42 (Trojan)
Shipment Tender Notice SID ********** | 1454136866784532.exe | GAV: FileLocker.A_52 (Virus)
Invoices | facture_37854634_181115.exe | GAV: Kryptik.D_33 (Trojan)
November Invoice INV-**** from Eye on Books | Invoice INV-9771.xls | GAV: Downloader.AN_6 (Trojan)

How to Stay Safe

An important skill for staying safe online is identifying the fraudulent domain names used in malicious links in emails. Scammers usually try to deceive end users by disguising the true second-level domain, prepending legitimate, familiar names to the beginning of hostnames. Appearing to come from a legitimate source, the malicious email will contain links to sites that host exploit code, in the hope that the user has an unpatched system and a vulnerable web browser, with the goal of compromising the user’s system. Other attack vectors come directly in email attachments: Word documents, executables, and other infected files.

Best practices for avoiding email scams

  • Never click on links in emails without thinking about it carefully.
  • Authenticate the sender: Is the sender truly who they say they are? Do I recognize and trust the sender?
  • Educate end users on how to identify the real domain name in the email’s From address, and how to hover over links in the email body to reveal the real domain name behind each link.
  • If there is any doubt about the authenticity of a domain name, examine it. Taking the example above, customer_service@amazon.com–0123-xyz.malicious-site.com: is the domain in the sender’s email address, malicious-site.com, owned by Amazon or by someone else? (The easiest way is to go to amazon.com directly and take care of any notifications or required actions by first logging in to the site, rather than clicking on links in emails.)
  • For users who are unable to identify domain names in links and email addresses, advise them never to click on a link sent in an email, but rather to open the site in a browser by typing the address manually in the address bar, to ensure that they are going to the legitimate site.
  • Always report suspicious emails to your Security Administrator, or directly to the site being spoofed. If in doubt, ask before clicking.
  • Never open file attachments from unknown/untrusted sources.
  • Stay up to date with software patches for operating systems, web browsers and all other software on the computer.
  • Install and keep up to date host-based and network-based Gateway Anti-Virus and Intrusion Detection systems.
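The domain check described above (the real owner of a hostname is its registrable domain, not the familiar names prepended to it) can be automated for a mail gateway or user-awareness tool. The following is an added example and not SonicWALL code; the sender address and links are constructed for this illustration, with a double hyphen standing in for the dash in the advisory’s example address, and the multi-label suffix set is a deliberately short stand-in for the Public Suffix List.

```python
from urllib.parse import urlparse

# Constructed sample values. The first address follows the pattern quoted in
# the advisory: a trusted brand placed to the left of the real domain.
SENDER_ADDRESSES = [
    "customer_service@amazon.com--0123-xyz.malicious-site.com",
    "order-update@amazon.com",
]
LINKS = [
    "http://amazon.com--0123-xyz.malicious-site.com/track?id=1",
    "https://www.amazon.com/gp/css/order-history",
]

# Suffixes under which the registrable name is one label deeper. This is an
# assumed, incomplete set; a real deployment would load the Public Suffix List.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def registrable_domain(hostname: str) -> str:
    """Return the owner-level domain of a hostname, e.g. 'malicious-site.com'.

    Every label to the left of it is chosen by that owner, so a familiar
    brand name appearing there says nothing about who runs the site.
    """
    labels = hostname.lower().strip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def sender_domain(address: str) -> str:
    """Hostname part of an e-mail address: the text after the last '@'."""
    return address.rsplit("@", 1)[-1]


def link_domain(url: str) -> str:
    """Hostname of a URL only (scheme, port, path and query are ignored)."""
    return urlparse(url).hostname or ""


def is_expected_owner(hostname: str, expected: str) -> bool:
    """True when the hostname belongs to the domain the message claims to be from."""
    return registrable_domain(hostname) == registrable_domain(expected)


def audit_message(sender: str, links: list, expected: str) -> list:
    """Return findings for a message that claims to come from `expected`."""
    findings = []
    if not is_expected_owner(sender_domain(sender), expected):
        findings.append(f"sender is {registrable_domain(sender_domain(sender))}, not {expected}")
    for url in links:
        if not is_expected_owner(link_domain(url), expected):
            findings.append(f"link leads to {registrable_domain(link_domain(url))}, not {expected}")
    return findings
```

Run `audit_message(SENDER_ADDRESSES[0], LINKS, "amazon.com")` to see both the sender and the first link flagged as belonging to malicious-site.com, while the genuine address and link produce no findings.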